By Gang Chen & Wen Xin Lim

Xi Jinping’s Economic Cybersecurity Agreement with Barack Obama

During Chinese President Xi Jinping’s state visit to the United States, he reached an agreement with US President Barack Obama on 25 September 2015 to curb “cyber-enabled theft of intellectual property”,1 marking the first of such formal agreements between the two countries. The new agreement will be enforced by the “CERT-to-CERT agreement” — that is, direct cooperation between Chinese and American law enforcement officials. US law enforcement will now be able to call up their Chinese counterparts and expect investigations and possibly even arrests, if American commercial secrets are stolen.

Cybersecurity has long been a contentious issue between China and the United States. For more than a decade, the United States has consistently charged China or its entities with being one of the main perpetrators of cyber-enabled commercial espionage against it, claiming that this cyber espionage by China represented “the greatest transfer of wealth in human history.”2 In 2013, US companies reported that the Shanghai-based People's Liberation Army (PLA) Unit 61398 was traced to have engaged in frequent cyberwarfare against American corporations and government agencies. China has denied all accusations that the Chinese government or military forces had orchestrated cyberattacks against US firms or government agencies.

The agreement is a diplomatic success for the United States as the superpower has persuaded the rising power to clamp down on alleged economic cyberthefts from the Chinese side that have posed serious threats to US business interests and economic security. The agreement, through elevating the importance of cyber diplomacy to a new height in bilateral relationship, may temporarily ease the tension between China and the United States over the issue, and help improve the overall bilateral relationship.

Nevertheless, the agreement itself is far from being effective enough to curb the rampant cyber espionage activities due to the complexity of cyber issues, difficulty of enforcement and lack of mutual trust between the world’s two largest economies. The pact may not be effective in curbing pervasive Chinese cyber espionage aimed at extracting US intellectual property and commercial intelligence3 as there were questions about the extent to which it was orchestrated by the Chinese government.4 The two countries will need to continue work on an overarching cyber doctrine and define the limits of acceptable behavior in cyberspace.

China and the US’ Escalating Tension over Cybersecurity

Cybersecurity has been a contentious issue between China and the United States. The United States and China are the two pivotal players in cybersecurity sphere. A mistrust between the two states in the cyber realm can generate negative influence on the long-term strategic intentions of both countries.

China and the United States had made little progress in terms of cybersecurity until Xi’s 2015 state visit. Even as the leaders forged deals on climate change, trade and defense, common ground on cybersecurity was limited.5 Growing tension over cyber issues can erode strategic trust and cause growing suspicion.

According to US Cyber Command and the National Security Agency, China is considered the major threat to US weapons systems on cyber space.6

Over the past decade, Chinese military hackers have allegedly penetrated major defense contractors involved in cutting edge weapons systems, including the fifth generation F-35 Joint Strike Fighter and gas pipeline control systems.7

Since 2013, US security companies have reported that the PLA Unit 61398 in Shanghai was traced to have engaged in frequent cyberwarfare against American corporations and government agencies.8 The increasing tension has also been a problem for US tech companies. While US tech giants such as Apple, Microsoft and Google would like to expand into the enormous Chinese market, they have accused China of widespread snooping into their operations.

The simmering tensions boiled over in February 2015 when the tech sector was required to install Chinese encryption standards that give officials full access to company data.9 A massive coalition of trade groups appealed to the Chinese government and the White House, arguing that the rules would inhibit their ability to operate.10

Xi Jinping's visit to the United States in September 2015 came as the United States and China had been accusing each other of breaking into critical computer systems, stealing data and threatening private and public networks.11 Inextricably, cybersecurity dominated the agenda of Xi's visit. Even before Xi arrived in Washington, the United States and China had been engaged in urgent negotiations on a cybersecurity deal weeks prior to the visit.

A week before Xi's visit to the United States, President Barack Obama gave a stern warning to Chinese President Xi Jinping that the United States will consider any instance of state-sponsored industrial espionage an “act of aggression”.12 President Obama alluded possible sanctions against Chinese hackers, telling Chinese officials in private that the combination of intellectual property theft and espionage on an unprecedented scale — the breach of the 22 million security dossiers from the US federal government’s Office of Personnel Management in June 2015 — cannot go unanswered.13

The United States has repeatedly drew a distinct line between government intelligence gathering and state-sponsored cyberattacks and thefts from corporate firms for commercial interests, which President Obama considered as an “act of aggression” and crime.14 China, on the other hand, denied all allegations of cyber intrusion made by the Pentagon. As Xi restated before his US state visit: “Cyber theft of commercial secrets and hacking attacks against government networks are both illegal; such acts are criminal offences and should be punished according to law and relevant international conventions”.15 He also stressed that “China and the United States share common concerns on cybersecurity. China is ready to strengthen cooperation with the US side on this issue”.16

At the eighth annual US-China Internet Industry Forum held at Microsoft's conference center on September 23, 2015, President Xi met with internet titans and CEOs. Among those who attended the meeting were Apple CEO Tim Cook, Amazon’s Jeff Bezos, Alibaba’s Jack Ma and Facebook’s Mark Zuckerberg. Lu Wei, director of the Central Leading Group for Internet Security and Informatisation, China's top cyber policy-making body, reiterated a long-standing Chinese line at the Forum: that both China and the United States are victims of cyber hackers and cyber criminals.17

China’s Cybersecurity Strategy

China’s cyber policy is driven primarily by the domestic political imperative of ensuring the survival of the Chinese Communist Party (CCP). Since 1991, the People’s Republic of China has increasingly funded, developed, acquired and employed advanced cyber technology in its government, military and civil sectors.18 Senior CCP officials have also issued high-level directives and created several high-level Leading Groups and Leading Small Groups to provide coordination and strategic guidance on cybersecurity (see Table 1).

Table 1. Major High Level Groups on Network Security

Name

Year Established

Significance

State Informatization

Leading Group

1993, reinstituted in 2001

1993, reinstituted in 2001, but without any record of meetings between 2008 and January 2014

State Network and Information Security Coordination Small Group

2003

Staffed by senior government and military representatives, this small group focuses particularly on information security

National Security Commission

2013

With Xi Jinping at the helm, this group is a high priority for Xi and other senior officials; it focuses on domestic security concerns, of which network security is a consideration

Central Network Security and Informatization Leading Small Group

2014

Similarly with the National Security Commission, this group is important because of Xi Jinping’s involvement; it prioritises network security in national security considerations

Many formal documents relevant to cybersecurity have been promulgated and published to tighten internet safety since the early 1990s (Table 2). As policies and stakeholders addressing network security grew, strategic direction for policy became more diversified, including input from the State Council, Central Committee (including Politburo Standing Committee and Central Military Commission) and Leading Small Groups (informal consultative bodies that advise the Politburo and State Council).

Table 2. Chinese Documents on Managing Cybersecurity

Document Title

Actor

Year

Significance

Military Strategic Guidelines

People's Liberation Army

1956, 1980, 1993

Authoritative documents that represent the PLA’s strategic priorities and objectives in modernization, force structure and organization; provide insight into how the PLA would wage a war

Indicates priorities of the central government arm that is responsible for information security, telecommunications, the internet, and the research and development of electronic and information technology products; this plan highlights investment in the protection of government information systems

The Science of Military Strategy

Academy of Military Science

Latest edition:2013

Strategic thought on how the PLA would prepare, prevent and wage a war

White Paper: The Diversified Employment of China's Armed Forces

Chinese Government (civilian and military)

2013

Authoritative documents that represent both the PLA and civilian government on China's domestic and national security policies, stipulate national security interests in cyberspace and the possibility of deploying military forces in cyberspace

“Opinion on Further Strengthening Military Information Security Work”

Xi Jinping, Central Military Commission

2014

Sets forth the guidelines, basic principles, key tasks and support measures for military information security work

The establishment of a National Security Commission (中央国家安全委员会) in 2013 was especially significant. Yet to date, responsibilities for China’s cybersecurity had been divided among different departments, hampering effectiveness.19

After President Xi took over the helm, he has emphasized cybersecurity and viewed internet safety as a top priority for national security. At the US-China Summit held in June 2013 in California, one of the topics on the agenda was cybersecurity. US President Barack Obama pressed President Xi to address cyber espionage originating from China and, in particular, state-funded industrial espionage against US companies.

China responded to the United States in February 2014 by forming the Central Leading Group for Network Security and Informatisation (中央网络安全和信息化领导小组), personally chaired by President Xi. Premier of the State Council Li Keqiang and First-ranked Secretary of the Central Secretariat Liu Yunshan were appointed vice chairpersons (deputy leaders). The new leading group, headed by Xi himself, is expected to streamline things by providing top-level guidance. He considers this an important national strategy for China to “establish a strong and authoritative mechanism at the central level” to deal with China’s cybersecurity. 20 In February 2014, China’s new Central Network Security and Informatization Leading Group met for the first time, with President Xi chairing the meeting.

Despite high-level guidance and strategic direction from Xi and senior civilian and military officials, overlapping bureaucratic priorities and competing stakeholder interests across regions and functionalities in China’s network prevail.21 In terms of definition, while the United States uses the term “cybersecurity” to refer to the protection and defense of a wide array of electronic and communications information, China uses the term “network security” (网络安全) to refer more specifically to the protection of digital information networks.22 The term “information security” (信息安全) refers to a broader perspective. Such misconceptions and differences in terms used by both sides could exacerbate the gaps between the two countries in terms of cyberspace agreement.

Cyberattack: An Increasing Threat

Since the beginning of the 21st century, cyberattacks have increased steadily both in frequency and scale. The vulnerabilities of cyberspace have let sophisticated cyber actors and nation-states conduct cybercrimes that could possibly disrupt the delivery of essential services and even jeopardize states’ relations.

Cybercriminals have learnt new ways to evade detection by bypassing traditional defense mechanism. A slew of orthodox crimes are now being perpetrated through cyberspace in different forms. This includes the production and distribution of child pornography, banking and financial fraud, intellectual property violations, cyberattacks and other crimes, all of which have substantial political and economic consequences.

In the meantime, malware has become a multinational activity. Over the past year, callbacks were sent to CnC servers in 184 countries, compared to 130 countries in 2010.23 Xinhua also pointed out that nearly 90,000 individual IP addresses suffered attacks from foreign Trojan horse viruses or zombie programs in 2013.24

Of growing concern is the cyber threat to critical infrastructure, which is increasingly subject to sophisticated cyber intrusions that pose new risks.25 As information technology becomes increasingly integrated with physical infrastructure operations, there is increased risk of wide-scale or high-consequence events causing harm or disrupting services.26

As the threat posed by cyberattack escalates, cybersecurity is becoming increasingly important for the military industry as it jeopardizes national security. Military hackers can penetrate the cutting edge weapon system and conduct information-based attacks and put a country’s defense at risk. The United States is a prime target for cyberattack due to the high volume and concentration of intellectual property and digitalised data.27 According to US Cyber Command and the National Security Agency, China has been singled out as the major threat to US weapons systems.28 China was also accused of purportedly unleashing a series of gigantic cyber-assaults on more than 600 US private, government and corporate organizations.29 In the second half of 2009, many corporate entities including Google were subjected to hacking attacks, causing it to suspend its operation in China.

Cyberspace is particularly difficult to secure due to a number of factors: the ability of malicious actors to operate from anywhere in the world, the linkages between cyberspace and physical systems, and the difficulty of reducing vulnerabilities and consequences in complex cyber networks.30 In light of the risks and potential consequences of cyber events, building a resilient cyber force and cybersecurity has become the top priority of many big powers.

Challenges and the Next Lap

With the rapid development of information technology, the internet plays an increasingly crucial role in the globalized world today. China and the United States have reached certain consensus on the basic principles of network governance. However, as cybersecurity and defense remain a matter of national security and national defense, the two countries displayed caution, fear and distrust.

China and the United States have differing views on the role of cyberspace now and in the future. To the United States, social networking and other online activities can be viewed as giving greater freedom of speech and a positive development. However, in China this very same area is seen as a threat to the legitimacy and governance of CCP. Their views on intelligence gathering, economic espionage and intellectual property also differ.

While the Chinese support the concept of cyber sovereignty, which is the right to control its own cyberspace, the United States wants China to agree to international norms that would reduce China’s level of control over its own internet.

For the cybersecurity issue to be resolved, the two countries would need to be more accommodative about disagreements and differences. Without establishing a mutual understanding or agreement on this issue, it is unlikely that cybersecurity issue could be solved at the international level. At the strategic level, China and the United States are still wary of each other and fully geared to avoid any potential threats from the internet realm. Retaliation or tit-for-tat could lead to instability or even an open warfare.

As cybersecurity is a brand new issue and challenge, joint endeavors are needed between governments, media, enterprises and other stakeholders. China and the United States as the two pivotal countries in the internet sphere could collaborate to explore important common interests and room for cooperation.

On the positive side, this could possibly create a new bright spot in bilateral cooperation. For example, Chinese internet security company, Qihu 360, has helped fix five new bugs in the Windows software package recently. To date, Qihu has received 86 public commendations from Microsoft for its contributions to the security of Microsoft products.

In March 2015, China's largest e-commerce platform Alibaba's first overseas data center in Silicon Valley began its trial operations to help provide cloud services to overseas clients, especially those in North America. Through the data center, American companies enjoy easy access to cloud services from China and vice versa.31

While the US-China agreement in September 2015 is a welcome first step towards a resolution to cybersecurity threats, it also brings to light the greater issue facing the two countries — that the international cyberspace is an ungoverned space. The two countries will have to continue to work on an overarching cyber doctrine and define the limits of acceptable behavior in cyberspace.Notes1. The new US-China cybersecurity agreement: a brief guide. (25 September 2015). Vox World.

3. “Commercial intelligence” is defined by the White House as intelligence collected “with the intent of providing competitive advantages to companies or commercial sectors”. This differs from economic espionage, which most states undertake to protect and advance national economic interests. See: China-US cyber agreements: Has Beijing outmaneuvered Washington? (28 September 2015). The Diplomat.